-- Copyright (c) HashiCorp, Inc.
-- SPDX-License-Identifier: MPL-2.0

begin;

  -- dropping these foreign keys because they were never needed
  alter table credential_static_store drop constraint iam_scope_fkey;
  alter table credential_vault_store drop constraint iam_scope_fkey;

  alter table credential_store rename column scope_id to project_id;
  alter table credential_store rename constraint credential_store_scope_id_public_id_uq to credential_store_project_id_public_id_uq;
  drop trigger immutable_columns on credential_store;
  create trigger immutable_columns before update on credential_store
    for each row execute function immutable_columns('public_id', 'project_id');

  -- insert_credential_store_subtype() is a before insert trigger
  -- function for subtypes of credential_store.
  -- Replaces the insert_credential_store_subtype function defined in 10/03_credential.up.sql
  create or replace function insert_credential_store_subtype() returns trigger
  as $$
  begin
    insert into credential_store
      (public_id, project_id)
    values
      (new.public_id, new.project_id);
    return new;
  end;
  $$ language plpgsql;
  comment on function insert_credential_store_subtype() is
    'insert_credential_store_subtype() is a before insert trigger function that should be added to all credential_store subtype tables.';

  alter table credential_vault_store rename column scope_id to project_id;
  alter table credential_vault_store rename constraint credential_vault_store_scope_id_name_uq to credential_vault_store_project_id_name_uq;
  drop trigger immutable_columns on credential_vault_store;
  create trigger immutable_columns before update on credential_vault_store
    for each row execute function immutable_columns('public_id', 'project_id', 'create_time');

  alter table credential_static_store rename column scope_id to project_id;
  alter table credential_static_store rename constraint credential_static_store_scope_id_name_uq to credential_static_store_project_id_name_uq;
  drop trigger immutable_columns on credential_static_store;
  create trigger immutable_columns before update on credential_static_store
    for each row execute function immutable_columns('public_id', 'project_id', 'create_time');

  -- update views
  drop view credential_vault_store_public;
  drop view credential_vault_library_public;
  drop view credential_vault_library_private;
  drop view credential_vault_store_private;
  drop view credential_vault_credential_private;

  -- Replaced in 49/01_vault_credentials.up.sql
  create view credential_vault_store_private as
  with
    active_tokens as (
      select token_hmac,
            token, -- encrypted
            store_id,
            create_time,
            update_time,
            last_renewal_time,
            expiration_time,
            -- renewal time is the midpoint between the last renewal time and the expiration time
            last_renewal_time + (expiration_time - last_renewal_time) / 2 as renewal_time,
            key_id,
            status
      from credential_vault_token
      where status in ('current', 'maintaining', 'revoke')
    )
  select store.public_id          as public_id,
        store.project_id          as project_id,
        store.name                as name,
        store.description         as description,
        store.create_time         as create_time,
        store.update_time         as update_time,
        store.delete_time         as delete_time,
        store.version             as version,
        store.vault_address       as vault_address,
        store.namespace           as namespace,
        store.ca_cert             as ca_cert,
        store.tls_server_name     as tls_server_name,
        store.tls_skip_verify     as tls_skip_verify,
        store.public_id           as store_id,
        store.worker_filter       as worker_filter,
        token.token_hmac          as token_hmac,
        token.token               as ct_token, -- encrypted
        token.create_time         as token_create_time,
        token.update_time         as token_update_time,
        token.last_renewal_time   as token_last_renewal_time,
        token.expiration_time     as token_expiration_time,
        token.renewal_time        as token_renewal_time,
        token.key_id              as token_key_id,
        token.status              as token_status,
        cert.certificate          as client_cert,
        cert.certificate_key      as ct_client_key, -- encrypted
        cert.certificate_key_hmac as client_cert_key_hmac,
        cert.key_id               as client_key_id
  from credential_vault_store store
        left join active_tokens token
                  on store.public_id = token.store_id
        left join credential_vault_client_certificate cert
                  on store.public_id = cert.store_id;
  comment on view credential_vault_store_private is
    'credential_vault_store_private is a view where each row contains a credential store and the credential store''s data needed to connect to Vault. '
    'The view returns a separate row for each current, maintaining and revoke token; maintaining tokens should only be used for token/credential renewal and revocation. '
    'Each row may contain encrypted data. This view should not be used to retrieve data which will be returned external to boundary.';

  -- Replaced in 49/01_vault_credentials.up.sql
  create view credential_vault_store_public as
  select public_id,
        project_id,
        name,
        description,
        create_time,
        update_time,
        version,
        vault_address,
        namespace,
        ca_cert,
        tls_server_name,
        tls_skip_verify,
        worker_filter,
        token_hmac,
        token_create_time,
        token_update_time,
        token_last_renewal_time,
        token_expiration_time,
        client_cert,
        client_cert_key_hmac
  from credential_vault_store_private
  where token_status = 'current'
    and delete_time is null;
  comment on view credential_vault_store_public is
    'credential_vault_store_public is a view where each row contains a credential store. '
    'No encrypted data is returned. This view can be used to retrieve data which will be returned external to boundary.';

  -- Replaced in 49/01_vault_credentials.up.sql
  create view credential_vault_library_private as
  with
    password_override (library_id, username_attribute, password_attribute) as (
      select library_id,
            nullif(username_attribute, wt_to_sentinel('no override')),
            nullif(password_attribute, wt_to_sentinel('no override'))
      from credential_vault_library_username_password_mapping_override
    ),
    ssh_private_key_override (library_id, username_attribute, private_key_attribute, private_key_passphrase_attribute) as (
      select library_id,
            nullif(username_attribute, wt_to_sentinel('no override')),
            nullif(private_key_attribute, wt_to_sentinel('no override')),
            nullif(private_key_passphrase_attribute, wt_to_sentinel('no override'))
      from credential_vault_library_ssh_private_key_mapping_override
    )
    select library.public_id       as public_id,
        library.store_id          as store_id,
        library.name              as name,
        library.description       as description,
        library.create_time       as create_time,
        library.update_time       as update_time,
        library.version           as version,
        library.vault_path        as vault_path,
        library.http_method       as http_method,
        library.http_request_body as http_request_body,
        library.credential_type   as credential_type,
        store.project_id          as project_id,
        store.vault_address       as vault_address,
        store.namespace           as namespace,
        store.ca_cert             as ca_cert,
        store.tls_server_name     as tls_server_name,
        store.tls_skip_verify     as tls_skip_verify,
        store.worker_filter       as worker_filter,
        store.token_hmac          as token_hmac,
        store.ct_token            as ct_token, -- encrypted
        store.token_key_id        as token_key_id,
        store.client_cert         as client_cert,
        store.ct_client_key       as ct_client_key, -- encrypted
        store.client_key_id       as client_key_id,
        coalesce(upasso.username_attribute,sshpk.username_attribute)
                                  as username_attribute,
        upasso.password_attribute              as password_attribute,
        sshpk.private_key_attribute            as private_key_attribute,
        sshpk.private_key_passphrase_attribute as private_key_passphrase_attribute
      from credential_vault_library library
        join credential_vault_store_private store
              on library.store_id = store.public_id
        left join password_override upasso
                  on library.public_id = upasso.library_id
                    and store.token_status = 'current'
        left join ssh_private_key_override sshpk
                  on library.public_id = sshpk.library_id
                    and store.token_status = 'current';
  comment on view credential_vault_library_private is
    'credential_vault_library_private is a view where each row contains a credential library and the credential library''s data needed to connect to Vault. '
    'Each row may contain encrypted data. This view should not be used to retrieve data which will be returned external to boundary.';

  -- Replaced in 49/01_vault_credentials.up.sql
  create view credential_vault_library_public as
  select public_id,
        store_id,
        name,
        description,
        create_time,
        update_time,
        version,
        vault_path,
        http_method,
        http_request_body,
        credential_type,
        worker_filter,
        username_attribute,
        password_attribute,
        private_key_attribute,
        private_key_passphrase_attribute
  from credential_vault_library_private;
  comment on view credential_vault_library_public is
    'credential_vault_library_public is a view where each row contains a credential library and any of library''s credential mapping overrides. '
    'No encrypted data is returned. This view can be used to retrieve data which will be returned external to boundary.';

  -- Replaces view from 41/01_worker_filter_vault_cred_store.up.sql
  -- Recreated in 56/02_add_data_key_foreign_key_references.up.sql
  create view credential_vault_credential_private as
  select credential.public_id         as public_id,
        credential.library_id        as library_id,
        credential.session_id        as session_id,
        credential.create_time       as create_time,
        credential.update_time       as update_time,
        credential.version           as version,
        credential.external_id       as external_id,
        credential.last_renewal_time as last_renewal_time,
        credential.expiration_time   as expiration_time,
        credential.is_renewable      as is_renewable,
        credential.status            as status,
        credential.last_renewal_time + (credential.expiration_time - credential.last_renewal_time) / 2 as renewal_time,
        token.token_hmac             as token_hmac,
        token.token                  as ct_token, -- encrypted
        token.create_time            as token_create_time,
        token.update_time            as token_update_time,
        token.last_renewal_time      as token_last_renewal_time,
        token.expiration_time        as token_expiration_time,
        token.key_id                 as token_key_id,
        token.status                 as token_status,
        store.project_id             as project_id,
        store.vault_address          as vault_address,
        store.namespace              as namespace,
        store.ca_cert                as ca_cert,
        store.tls_server_name        as tls_server_name,
        store.tls_skip_verify        as tls_skip_verify,
        store.worker_filter          as worker_filter,
        cert.certificate             as client_cert,
        cert.certificate_key         as ct_client_key, -- encrypted
        cert.certificate_key_hmac    as client_cert_key_hmac,
        cert.key_id                  as client_key_id
  from credential_vault_credential credential
        join credential_vault_token token
              on credential.token_hmac = token.token_hmac
        join credential_vault_store store
              on token.store_id = store.public_id
        left join credential_vault_client_certificate cert
                  on store.public_id = cert.store_id
  where credential.expiration_time != 'infinity'::date;
  comment on view credential_vault_credential_private is
    'credential_vault_credential_private is a view where each row contains a credential, '
    'the vault token used to issue the credential, and the credential store data needed to connect to Vault. '
    'Each row may contain encrypted data. This view should not be used to retrieve data which will be returned external to boundary.';

commit;
